MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f03cb7c4d22e4580f919f348c2f35ec39efff0ac267c0e39833baf906c6bc06. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments

SHA256 hash: 6f03cb7c4d22e4580f919f348c2f35ec39efff0ac267c0e39833baf906c6bc06
SHA3-384 hash: ba01f36f543732ffa400b3869b1fb26fca08f1b312c3638718934037c88bcd7fdc7a08bddeb8114215d7e709e52da478
SHA1 hash: 94d8313b3769e059e11a73c122204f229403e823
MD5 hash: 9e589779b1777914e2fd220aa90841c1
humanhash: arizona-freddie-orange-montana
File name:proforma invoice.exe
Download: download sample
Signature AgentTesla
File size:436'736 bytes
First seen:2020-06-18 12:54:48 UTC
Last seen:2020-06-22 07:22:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (32'035 x AgentTesla, 11'191 x Formbook, 6'107 x SnakeKeylogger)
ssdeep 6144:QVEZn18yaZU2SUQzqY09+kFcj+FogMjyLR2YuTN2z3lkeC+gwzWEOmD/kZuf:QI18yQmX09pFI+FogMj6R2Sl4mxO/
Threatray 10'610 similar samples on MalwareBazaar
TLSH 0894BE67139C867DD789BE36D874812513EAB34B6F43F78F850A948A1263F86DC23742
Reporter @abuse_ch
Tags:AgentTesla exe


Twitter
@abuse_ch
Malspam distributing AgentTesla:

HELO: trevorthomsen.com
Sending IP: 103.141.136.4
From: accounts@trevorthomsen.com
Subject: RE: Confirm revised invoice to proceed with payment ASAP.
Attachment: proforma invoice.zip (contains "proforma invoice.exe")

AgentTesla SMTP exfil server:
mail.pcandles.sa:587

Intelligence


File Origin
# of uploads :
3
# of downloads :
70
Origin country :
FR FR
Mail intelligence
Geo location:
Global
Volume:
Low
Geo location:
NL Netherlands
Volume:
Low
Vendor Threat Intelligence
Gathering data
Gathering data
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Adds Run entry to start application
Drops startup file

YARA Signatures


MalareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious proccess dumps they may create. Please note that only results from TLP:WHITE rules are being displayeyd.

Rule name:Agenttesla_type2
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 6f03cb7c4d22e4580f919f348c2f35ec39efff0ac267c0e39833baf906c6bc06

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments